Data Protection

In January 2012, in the case of Digital Rights Ireland Ltd. v The Minister for Communications & Ors., the High Court referred certain questions to the CJEU (ECJ) under Article 267 TEU. In the events that happened the ECJ struck down or found invalid Directive 2006/24/EC in the course of the hearing of the referred questions. The High Court is now hearing the parties (Digital Rights Ireland Ltd. and the Minister for Communications & Ors.) in the resumed proceedings, interrupted […]

If you do not know about the personal data you hold, you cannot comply with the GDPR. So, trace the flow of personal data in your company. Bear in mind that the personal data of employees is covered by the GDPR. Compliance with the GDPR will involve those self-same employees. They will need training in the application of the principles of the GDPR in your organization. Possibly you are obliged to appoint a Data Protection Officer (DPO). If so, even […]

There is probably a book yet to be written on the interplay between the General Data Protection Regulation and Brexit, but some elements can be seen now. Unusually, the GDPR permits the introduction of some national legislation on data protection issues. They include occasions where a legal obligation mandates the processing of personal data, or the processing relates to a public interest task, or the processing is carried out by a body with official authority. There are others. As a […]

The EU deferred the application of the GDPR personal data rules for two years to allow organisations to make the necessary internal changes to reach compliance. The first, and possibly the most difficult, is to perceive what is stated in the title here; personal data belongs to the data subject. Personal data, collected by you, is not owned by you. Think of it as money. Less than one year from now, your organisation must be able to account for personal […]

Here is news that was not (to my knowledge) on RTE. Deep Root Analytics maintained a database on an estimated 62% of the population of the USA. It contains what is known as “sensitive” information on the population. It is being used to profile the US population. The GDPR is designed to prevent the processing of exactly such a database as Deep Root Analytics possesses. Companies like Deep Root Analytics believe that the information they have collected is theirs, not […]

When the EU passed the GDPR as directly effective law it deferred the implementation of the GDPR for two years to allow organisations to make the necessary changes to comply with the law. One year of that two-year period has passed. Many companies and organisations have not even begun to make the necessary changes. For some of them, there is not now enough time to make the necessary changes to reach compliance by 25th May 2018. There is a […]

Article 25 GDPR requires organisations to adopt privacy by design and by default. Generally, these will come as new principles in data protection implementation to many of the organisations obliged to adopt those principles before 25th May 2018. That’s the date the Regulation comes into force. Failure to do this will be easily detected; under Article 30 GDPR organisations are obliged to establish and maintain a register of data processing activities. Implementation of privacy by design and by default should […]

Less than one year from now every business holding (i.e., processing) personal data will have undergone a significant process of internal change or will, more likely than not, be in breach of the GDPR. The change process will have started at the top of the business and will have devolved downwards in the form of training (and other changes). With a considerable amount of work businesses can make the necessary changes. Those businesses that succeed in changing and adapting will […]

If you belong to some form of “circulating library” of personal data, less than one year from now you will encounter an excruciating dilemma. Under Article 14 of the GDPR you must notify the data subjects, whose data you have just received, of that fact and of your intentions with regard to the data. If you fail to do that you will be in breach of the Regulation. If you do it, the data subjects may direct you to delete […]

The General Data Protection Regulation (GDPR) comes fully into effect on 25th May 2018. I suggest this soundbite to sum up the GDPR; “Nothing about me without me”. The phrase is not new, it comes most recently from the UK National Health Service in the terms “No decision about me without me”. Under the GDPR, processing of personal data (possession is processing) must be legal; it must be lawful. Each act of processing must be confirmed to be lawful and documented. That […]